Comment and Version lines leak information

Anonymous Remailer nobody@mailtraq.net
Mon Aug 6 12:04:02 2001 

Frank Tobin writes:

>Anonymous, at 05:18 +0200 on Mon, 6 Aug 2001, wrote:

>> A security program should not, by default, leak information.

> 

> You're talking about anonymity, which is different from security.


Nothing was said about anonymity.


> The type of "security" you get from the measures you describe are

> merely obsfucation.


Word games aside, real security people don't go out of their way to
leak information.


> Furthermore, when developing a widely-distributed program such as

> GnuPG, and trying to ensure interoperability, it is very useful to

> know what what versions people are using.  Just like ssh and Apache,

> there is no attempt to hide what version the software is.


The version and comment strings are unused by the software.

Having used gpg and pgp steadily for years, and having provided a lot
of free support, I can state with confidence that these strings are of
little use because you have to ask "what are you using?" anyway.  In
the worst case, which I believe scarcely exists, you could turn on the
feature, even if it wasn't the default.

Further, the only reason you have to start asking about version is
because gpg generates unhelpful error messages when it gets a "wrong"
algorithm.  It should tell you exactly which algorithm it doesn't
like and why.

I had a bit of a problem with 1.0.4 or so.  My correspondent was using
a patched version of 1.0.4 which liked Rijndael.  My version, an
earlier version of 1.0.4, deprecated Rijndael.  The warning message I
got was completely unhelpful.  (It says something like "Deprecated
algorithm!" without further detail.)  And, the version string was
misleading because it was claiming we were running the same version of
the software.  I had to resort to printfs to figure it out.


> The choice to erase stuff from the comment string is up to the user.  But

> the benefits of the default comment, I feel, heavily outweigh any

> negatives.


This belief should be reconsidered.

Lest this message appear too negative: gpg is the best OpenPGP
compliant implementation and I recommend it frequently.  Thanks to
everybody who worked on it!